Since this is a rather old topic with both sides having valid points I will keep this post short and sweet. I have had no time to measure or investigate in depth and I don't think I will find any.

Both have understandable viewpoints, so let's have a look.


Secure renegotiation makes it easier - THC-SSL DoS
A short, non-technical background story: when SSL connections are set up, they require server-side computational effort (RSA decryption). If you try to set up connections repeatedly, this will consume a lot of resources on the server and might lead to Denial of Service.

THC makes use of the recently introduced secure renegotiation feature to set up SSL connections repeatedly; in fact, they are using a security feature for abuse.

On the WordPress site it is claimed that:

Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack:
URLs :

By Design (Eric Rescorla)

Eric takes a very factual systematic approach to this issue, particularly with regards to the claim that the renegotiation feature makes it "more vulnerable to this attack". (Errata: I previously attributed the blog to Marsh Ray)

Eric's holistic viewpoint includes the total cost for the attacker to achieve this attack. This is a standard approach to weigh whether a certain path an attacker can take is more costly for him and hence less likely to be chosen:
If I want to mount the old, multiple connection attack, I need to incur the following costs:
  1. Do the TCP handshake (3 packets)
  2. Send the SSL/TLS ClientHello (1 packet). This can be a canned message.
  3. Send the SSL/TLS ClientKeyExchange, ChangeCipherSpec, Finished messages (1 packet). These can also be canned.
His viewpoint on the same exhaustion attack using the secure renegotiation mechanism that is claimed to make it "more vulnerable":
Now let's look at the "new" single connection attack based on renegotiation. I need to incur the following costs
  1. Do the TCP handshake (3 packets) [once per connection.]
  2. Send the SSL/TLS ClientHello (1 packet). This can be a canned message.
  3. Receive the server's messages and parse the server's ServerHello to get the ServerRandom (1-3 packets).
  4. Send the SSL/TLS ClientKeyExchange and ChangeCipherSpec messages (1 packet).
  5. Compute the SSL/TLS PRF to generate the traffic keys.
  6. Send a valid Finished message.
  7. Repeat steps 2-7 as necessary.
Eric goes on with :
Briefly then, we've taken an attack which was previously limited by network bandwidth and slightly reduced the bandwidth (by a factor of about 2 in packets/sec and less than 10% in number of bytes) at the cost of significantly higher computational effort on the attacker's client machines. Depending on the exact characteristics of your attack machines, this might be better or worse, but it's not exactly a huge improvement in any case.
and finally concludes with :
All the known defenses are about trying to make it easier to distinguish legitimate users from attackers before you've invested a lot of resources in them, but this turns out to be inherently difficult and we don't have any really good solutions
 I for one rest my case, there isn't anything more to say on this particular subject.

URL :
Recommendations  / FAQ
http://orchilles.com/2011/04/ssl-renegotiation-dos-faq.html
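
An added example, not from the original post or from Eric's analysis: because a full handshake costs the server the same private-key operation whether it arrives on a new connection or as a renegotiation, a defender's per-client rate check should count both. The log format, event names and limit below are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Both event kinds cost the server one private-key operation (assumption:
# RSA key exchange, as in the post), so both count against the same budget.
COSTLY_EVENTS = {"handshake", "renegotiation"}

def parse(line):
    """Parse '<seconds> <client_ip> <event>' (hypothetical log format)."""
    ts, ip, event = line.split()
    return float(ts), ip, event

def peak_rates(lines, window=1.0, events=COSTLY_EVENTS):
    """Return {client_ip: max counted events seen in any `window` seconds}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip, event in sorted(map(parse, lines)):
        if event not in events:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop events that have fallen out of the sliding window.
        while q[0] <= ts - window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def flag_clients(lines, limit, window=1.0, events=COSTLY_EVENTS):
    """Clients whose peak rate exceeds `limit` events per window."""
    rates = peak_rates(lines, window, events)
    return sorted(ip for ip, n in rates.items() if n > limit)

def build_sample():
    """Constructed events, not real traffic."""
    lines = ["0.00 192.0.2.10 handshake"]
    # One connection that renegotiates 20 times within a second.
    lines += [f"{0.05 * i:.2f} 192.0.2.10 renegotiation" for i in range(1, 21)]
    # Twenty fresh connections within a second.
    lines += [f"{0.05 * i:.2f} 198.51.100.20 handshake" for i in range(20)]
    # An ordinary client: three handshakes spread over a minute.
    lines += [f"{t:.2f} 203.0.113.5 handshake" for t in (1.0, 20.0, 45.0)]
    return lines

if __name__ == "__main__":
    sample = build_sample()
    print("all handshakes counted:", flag_clients(sample, limit=5))
    print("new connections only:  ",
          flag_clients(sample, limit=5, events={"handshake"}))
```

Counting only new connections misses the client that stays on one connection, which is why the limit has to apply to handshakes rather than to TCP connections.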




This is a living blog post I will update whenever I have time and new ideas.

TOC

  • Introduction
  • Updates
  • Attacker Classes
  • Attacker Pyramid
  • Q&A
Introduction
The other day I was brainstorming further on the attacker classes I came up with last year (to be modeled into a Security Assurance Model) when I stumbled across one of Dan Guido's presentations. The way he used pyramids was a perfect fit to make my model more easily understood and to convey more information.
The pyramid display allowed me to show the relation between the Type and Amount (Attacker class) and the Type and Amount (Value of Business "Asset" at risk).

When trying to model complex interweaving ecosystems you always have to make trade-offs. This is the cost of trying to bring something down to the most common and easiest to grasp level. This is no different: when reading the below, note the necessity of doing so and understand that I had to take some shortcuts. Your comments are welcome by mail or as a comment below.

Updates
  • 24.10.2011 - Renamed "Business Asset" to "Typical Targeted Asset", Added Sophistication Pyramid
  • 24.10.2011 - Added Q&A Section
  • 17.05.2012 - Added my OWASP BENELUX Presentation that is in line with the overall context and further explains the rationale.
  • 17.05.2012 - For consistency : renamed "Targeted" to "Professional" in Pyramid.

Introduction
The presentation I gave at OWASP BENELUX entitled "The Rise of the Vulnerability Markets - History, Impacts, Mitigation" goes further on the rationale behind the proposed Attacker centric Model and implicitly deduced impacts and motivations.





Attacker classes
I thought about including and naming the following attacker classes in my model :
  • Opportunists
  • Targeting Opportunists
  • Professional 
  • State Founded
Opportunists
This class includes but is not limited to Bots, Worms, Mass Malware, Script Kiddies. They are opportunistic in the way that they move on if they don't find a particular known vulnerability. The sophistication is relatively low and to compensate for it they use large scale.

Keywords : Large scale, low hanging fruits, low level of sophistication


Targeting Opportunists
This class represents a more targeted, focused group of Opportunists. They don't scan and probe the internet and stop as soon as they stumble across something interesting; they target one organisation in an opportunistic way, meaning they will mass scan a particular organisation continuously, looking for weak spots.

Keywords : Targeted at a particular organisation, continuous probing, more sophisticated, more motivated



Professional
This class represents digital mercenaries, sophisticated "hackers" that are targeting particular organisations and assets over a period of time. This class does not halt at low hanging fruits or a particular attack vector but tries to get to the goal whatever it takes. They are funded to a certain degree and their sophistication allows them to come up with new ways to attack assets or bypass exploit mitigation techniques.

Keywords : Targeted, motivated, sophisticated


State Founded
This class represents a group of attackers that is very well funded and sophisticated, they represent the interests of nation states. This class is after Intellectual Property, Strategic Assets, Classified Information.

Keywords : Targeted, Specialised, Stuxnet


Attacker Pyramid
Below you see what I call an Attacker Pyramid. The pyramid on the left shows the 4 attacker classes; the surface area indicates the amount of threat agents within that class. The pyramid on the right displays the Asset the attacker class is after, and the surface area is indicative of the value that these assets represent for the business.





Attacker Classes and Sophistication
The Pyramids above can be complemented by an inverse Pyramid representing the Motivation / Sophistication and Funding.
 



Attacker Class Triad
The complete Triad would look like this 





Q&A
What is the difference between this and Veris ?
Veris is post mortem, essentially an incident classification framework; Veris and "this" have no real link. What is presented here is the concept of adjusting your defenses to the highest attacker class expected (HAE). It serves as a framework to classify data and assets into buckets that will allow you to zone and protect them accordingly.

Why "Attacker class" and not "Threat Agent"
This concept revolves around malicious intent not natural hazards or any of these sorts of more general threat agents. While I do like the term "Threat Agent" and I might change "Attacker class" into something else,  I do still believe it captures the motivation and intent more directly than a generic "Threat Agent".

 
What do you think ? Let me know

Next update :
  • Why is this important at all ? (Hint: Protect critical assets differently depending on the attacker class you want to protect it against)